RSA Mechanism Remap for FIPS Compliance
Under FIPS 186-3/4, the only RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes. This means that RSA PKCS and X9.31 key generation is no longer approved for operation in a FIPS-compliant HSM.
| Supported Mechanisms | FIPS-mode Allowed Mechanisms |
|---|---|
| PKCS, X9.31, 186-3 with primes, 186-3 with aux primes | 186-3 with primes, 186-3 with aux primes |
Luna HSM Client allows you to automatically remap calls to these old, less-secure mechanisms, to new mechanisms that are FIPS-approved. This remapping can allow you to operate the HSM securely without having to rewrite your applications. With this feature enabled, the following remapping is applied:
>Calls for PKCS key generation using CKM_RSA_PKCS_KEY_PAIR_GEN are remapped to CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN, which uses 186-3 Prime key generation.
>Calls for X9.31 key generation using CKM_RSA_X9_31_KEY_PAIR_GEN are remapped to CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN, which uses 186-3 Aux Prime key generation.
Effects of Remapping in FIPS Mode
When the Luna HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms set to OFF) or the application partition is in FIPS mode (partition policy 43: Allow non-FIPS algorithms set to 0) and RSA remapping is enabled:
>CKM_RSA_PKCS_KEY_PAIR_GEN appears in the C_GetMechanismList output.
>C_GetMechanismInfo for CKM_RSA_PKCS_KEY_PAIR_GEN returns the default information from the client library.
>CKM_RSA_X9_31_KEY_PAIR_GEN appears in the C_GetMechanismList output.
>C_GetMechanismInfo for CKM_RSA_X9_31_KEY_PAIR_GEN returns the default information from the client library.
Applying the Mechanism Remapping
Mechanism remapping has been enabled automatically in recent versions of the Luna HSM Client. Refer to the following table for older version requirements.
| Luna HSM Firmware | Luna HSM Client | To apply RSA mechanism remapping |
|---|---|---|
| Luna HSM Firmware 7.7.1 or newer | Luna HSM Client 10.4.0 or newer | If you have FIPS mode set on individual partitions (partition policy 43: Allow non-FIPS algorithms set to 0), remapping is automatic; the RSAKeyGenMechRemap configuration setting is ignored. |
| Luna HSM Firmware 7.7.1 or newer | Luna HSM Client 10.1.0 or newer | If you have FIPS mode set on the entire HSM (HSM policy 12: Allow non-FIPS algorithms set to OFF), remapping is automatic; the RSAKeyGenMechRemap configuration setting is ignored. NOTE: Remapping on individual partitions requires Luna HSM Client 10.4.0 or newer. |
| Luna HSM Firmware 7.7.0 or older | Luna HSM Client 10.1.0 or newer | Remapping is automatic; the RSAKeyGenMechRemap configuration setting is ignored. |
| Luna HSM Firmware 7.7.0 or older | Luna HSM Client 7.4.0 or older | Remapping must be enabled using the RSAKeyGenMechRemap setting in the Luna HSM Client configuration file (see Configuration File Summary). Linux: Misc = { RSAKeyGenMechRemap=1; } Windows: [Misc] RSAKeyGenMechRemap=1 |
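The following is an added example (not Thales code) that turns the version table and the configuration-file syntax above into a small audit check: it reads the RSAKeyGenMechRemap value from either the Linux or the Windows layout of the client configuration, and reports whether remapping is automatic, driven by that setting, unsupported for partition-level FIPS mode, or not covered by the table at all. Assumptions: any non-zero RSAKeyGenMechRemap value counts as enabled, the sample configuration texts are constructed, and firmware/client combinations the table does not list are reported as "unknown" rather than guessed.

```python
import re
from typing import Optional, Tuple

# The remap applied by the client library, as described on this page.
RSA_KEYGEN_REMAP = {
    "CKM_RSA_PKCS_KEY_PAIR_GEN": "CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN",
    "CKM_RSA_X9_31_KEY_PAIR_GEN": "CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN",
}

# Constructed sample configuration fragments in the two layouts shown on the page.
LINUX_CONF = """Other = {
  SomeKey = 0;
}
Misc = {
  RSAKeyGenMechRemap=1;
}
"""
WINDOWS_CONF = "[Misc]\r\nRSAKeyGenMechRemap=1\r\n[Other]\r\nSomeKey=0\r\n"


def remap_mechanism(mech: str) -> str:
    """Mechanism the client actually uses for a key-generation call when remapping is in effect."""
    return RSA_KEYGEN_REMAP.get(mech, mech)


def parse_version(s: str) -> Tuple[int, ...]:
    """'10.4.0' -> (10, 4, 0), so versions compare correctly as tuples."""
    return tuple(int(p) for p in s.strip().split("."))


def config_remap_flag(text: str) -> Optional[bool]:
    """Read RSAKeyGenMechRemap from the Misc section of a client configuration.

    Handles the Linux layout  Misc = { RSAKeyGenMechRemap=1; }
    and the Windows layout    [Misc] followed by RSAKeyGenMechRemap=1.
    Returns None when the key is absent. Assumption: any non-zero value means enabled.
    """
    m = re.search(r"\bMisc\s*=\s*\{([^}]*)\}", text)          # Linux block syntax
    if m is None:
        m = re.search(r"\[Misc\]([^\[]*)", text)               # Windows INI section
    body = m.group(1) if m else ""
    v = re.search(r"RSAKeyGenMechRemap\s*=\s*(\d+)", body)
    return None if v is None else v.group(1) != "0"


def effective_remap(firmware: str, client: str, fips_scope: str, config_text: str = "") -> str:
    """Apply the page's version table to one deployment.

    fips_scope: "hsm" (HSM policy 12 set to OFF), "partition" (partition policy 43 set to 0)
    or "none" (non-FIPS mode, where the legacy mechanisms remain permitted).
    Returns "automatic", "config:on", "config:off", "config:absent", "unsupported"
    (partition-level remapping needs client 10.4.0 or newer), "not-applicable",
    or "unknown" for combinations the table does not cover.
    """
    if fips_scope == "none":
        return "not-applicable"
    fw, cl = parse_version(firmware), parse_version(client)
    if fips_scope == "partition" and cl < (10, 4, 0):
        return "unsupported"
    if fw >= (7, 7, 1):
        # Rows for firmware 7.7.1+ only list clients 10.1.0 or newer.
        return "automatic" if cl >= (10, 1, 0) else "unknown"
    if cl >= (10, 1, 0):
        return "automatic"
    if cl <= (7, 4, 0):
        flag = config_remap_flag(config_text)
        if flag is None:
            return "config:absent"
        return "config:on" if flag else "config:off"
    return "unknown"  # clients between 7.4.0 and 10.1.0 are not listed on the page


if __name__ == "__main__":
    for mech in RSA_KEYGEN_REMAP:
        print(f"{mech} -> {remap_mechanism(mech)}")
    print("fw 7.7.1 / client 10.4.0 / partition FIPS:", effective_remap("7.7.1", "10.4.0", "partition"))
    print("fw 7.7.0 / client 7.4.0 / HSM FIPS (Linux conf):", effective_remap("7.7.0", "7.4.0", "hsm", LINUX_CONF))
    print("fw 7.7.0 / client 7.4.0 / HSM FIPS (Windows conf):", effective_remap("7.7.0", "7.4.0", "hsm", WINDOWS_CONF))
```

The useful outcome for an operator is the "config:absent" and "config:off" cases: with an older client and a FIPS-mode HSM, an application that still requests CKM_RSA_PKCS_KEY_PAIR_GEN or CKM_RSA_X9_31_KEY_PAIR_GEN will fail rather than be transparently remapped, so the check is worth running before upgrading the HSM policy.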